This is my first time analysing a Flash sample, and I will share some skills and experience on how to analyse a Flash sample.

---

(1) Root cause analysis

ApplicationDomain.currentDomain.domainMemory points to a global array we define. When we perform certain operations on this array, exceptions occur: we first compress the array, then corrupt it, and then uncompress it. Because we changed the data in the array, the uncompress fails, but domainMemory is not notified, so domainMemory still points to the old array that has already been freed.

Note: the relevant code can be found in avmplus (open source).

---

(2) How to start

First we need to find the functions in the …..

My colleague sent me some exe files; he wanted to check whether they are really malicious, because on VirusTotal most of the anti-virus engines say they are. Let's take one as the example. You can find the static and dynamic scan details here: https://malwr.com/analysis/MzlkNGUxOWNkZmMwNGU4NjkzMTdmYWU5MzAwNWVhYzU/

From the anti-virus section we found many alerts. But from the dynamic result, I found there were no abnormal actions in the execution flow. So is it a false positive? But many AVs alert. ……

At last, I found the reason, working with nEINEI. A section of this PE file has been changed: the attributes of this section have been updated to RWE, and we also found that someone had injected some data into this section. …..
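As an added example (not code from the original post), here is a small Python check for the finding above: it parses the PE section table and flags any section whose characteristics are both writable and executable, which is what an RWE .text section looks like. The image it inspects is a constructed minimal PE built inline, not the file from the VirusTotal report.

```python
import struct

# Section Characteristics flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HEADER = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER


def parse_sections(data: bytes):
    """Walk the DOS header, PE signature and COFF header, then return
    a list of (name, virtual_size, raw_size, characteristics) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", data, coff + 16)[0]
    first = coff + 20 + opt_header_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER, data, first + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, fields[1], fields[3], fields[9]))
    return sections


def suspicious_sections(data: bytes):
    """Return [(name, characteristics)] for sections that are both writable
    and executable (RWE), the tell-tale described in the post."""
    return [(name, chars) for name, _, _, chars in parse_sections(data)
            if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE]


def build_sample(text_chars: int) -> bytes:
    """Constructed minimal PE image (hypothetical, not a real binary): DOS
    header, COFF header with no optional header, and two section headers."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)

    def section(name, chars):
        return struct.pack(SECTION_HEADER, name, 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, chars)

    data_chars = 0xC0000040  # INITIALIZED_DATA | READ | WRITE: normal for .data
    return dos + b"PE\0\0" + coff + section(b".text", text_chars) + section(b".data", data_chars)


if __name__ == "__main__":
    clean = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    print(suspicious_sections(build_sample(clean)))                        # []
    print(suspicious_sections(build_sample(clean | IMAGE_SCN_MEM_WRITE)))  # [('.text', 3758096416)]
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `suspicious_sections`; a W+X code section is not proof of malice on its own (some packers produce it), but it is the first thing worth checking when static detections and sandbox behaviour disagree.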